cptInsane0
Apr 11, 2007

...and a clown with no head
Pretty sure it's a licensing thing. I installed a 5505 not too long ago, and it came with the VPN client. He got an unlimited address license with a few VPN's though.

Richard Noggin
Jun 6, 2005
Redneck By Default
For what it's worth, this is an ASA 5505, unlimited users, with the Security Plus license.

Minus Pants
Jul 18, 2004
I have a network of a dozen or so 2960s (ipbase) that connect to a 6509 core (adventerprise). There's a 2Gbps internet connection going directly to the core. How can I guarantee each port on the 2960s a minimum amount of the internet bandwidth without affecting normal network traffic? I've looked into rate limiting, but I'm not sure how to avoid affecting internal network traffic. I also don't know what rules would need to go on the 2960s vs. the 6509.

Ideally, each 2960 port will have, say, 1.5Mbps guaranteed internet bandwidth, burstable if there's free capacity on the internet line. Access to anything else on the network should have no rate limit. Any guidance or pointers to docs would be appreciated.

StabbinHobo
Oct 18, 2002

by Jeffrey of YOSPOS
Is there a default management IP address for a 2960G? My usb to serial adapter won't arrive till wednesday, so I'm gonna spend all tomorrow in the colo staring at this switch I can't configure.

ate shit on live tv
Feb 15, 2004

by Azathoth

StabbinHobo posted:

Is there a default management IP address for a 2960G? My usb to serial adapter won't arrive till wednesday, so I'm gonna spend all tomorrow in the colo staring at this switch I can't configure.

Is it a brand new 2960G, cleared config and everything? Because if so, it will only have VLAN1 with no IP address set. I had a similar problem with a 3560G. Depending on the infrastructure you have around, you could make it join a VTP/SNMP domain, default name cisco for both, and from there maybe nudge some configuration onto it. Otherwise I think you might be SOL.

You could also try setting up a DHCP server and see if it grabs an IP Address, but if its default config, then you will be SOL for that as well.

StabbinHobo
Oct 18, 2002

by Jeffrey of YOSPOS

Powercrazy posted:

Is it a brand new 2960G, cleared config and everything? Because if so, it will only have VLAN1 with no IP address set. I had a similar problem with a 3560G. Depending on the infrastructure you have around, you could make it join a VTP/SNMP domain, default name cisco for both, and from there maybe nudge some configuration onto it. Otherwise I think you might be SOL.

You could also try setting up a DHCP server and see if it grabs an IP Address, but if its default config, then you will be SOL for that as well.

yep, fresh out of the box. I think you have it, SOL.

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue
Anyone purchased ACS lately? I am needing to do 802.1x and rather than push it off on the Systems guys, I'd like to drop in two redundant ACS boxes to kick back to AD for 802.1x and management of devices.

I am not sure how the pricing works, nor I have had much time to research it. Is it by device authenticating? flat price for each appliance?

jwh
Jun 12, 2002

routenull0 posted:

Anyone purchased ACS lately? I am needing to do 802.1x and rather than push it off on the Systems guys, I'd like to drop in two redundant ACS boxes to kick back to AD for 802.1x and management of devices.

I am not sure how the pricing works, nor I have had much time to research it. Is it by device authenticating? flat price for each appliance?

I'm pretty sure it's flat pricing. I think they're about $8,000 a piece, or thereabouts, if you buy the appliance.

I wouldn't buy the appliance, actually- and this is coming from someone that has two of them. It seems easier, in retrospect, to simply let your systems team handle the OS on a commodity x86 server of your choice brand and then you can drop the ACS software on top of it. The appliances are a little tweaky.

Speaking of 802.1x, I'm beginning my 802.1x project next month. We have a lot of shared edge ports, however, so it's going to be a big challenge.

jwh
Jun 12, 2002

Minus Pants posted:

I have a network of a dozen or so 2960s (ipbase) that connect to a 6509 core (adventerprise). There's a 2Gbps internet connection going directly to the core. How can I guarantee each port on the 2960s a minimum amount of the internet bandwidth without affecting normal network traffic? I've looked into rate limiting, but I'm not sure how to avoid affecting internal network traffic. I also don't know what rules would need to go on the 2960s vs. the 6509.

Ideally, each 2960 port will have, say, 1.5Mbps guaranteed internet bandwidth, burstable if there's free capacity on the internet line. Access to anything else on the network should be have no rate limit. Any guidance or pointers to docs would be appreciated.

When you say "without affecting normal network traffic," what do you mean? Can you elaborate?

You're going to have more flexibility on the 6509 side, so I'd start there. Specifically, MQC matching an ACL on a SVI might be the best approach. I know there are MQC caveats on the 6509, but I'm no expert. You might need to do some research.

inignot
Sep 1, 2003

WWBCD?

StabbinHobo posted:

Is there a default management IP address for a 2960G? My usb to serial adapter won't arrive till wednesday, so I'm gonna spend all tomorrow in the colo staring at this switch I can't configure.

Get an old school console cable (the ones that are rj-45 on both ends); connect it to the aux port on another router & reverse telnet to the aux port.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

StabbinHobo posted:

yep, fresh out of the box. I think you have it, SOL.

Go to staples and buy one. When yours comes in just return it.

martyb
Dec 18, 2001
ummm
My company purchased a few Aironet 1142N APs and a 2106 Wireless LAN Controller.

I'm having difficulties setting up a "public" WLAN and think I'm missing some crucial step.

I have setup an interface that is:
name: PUBLIC
port: 2
vlan id: 2
ip: 10.100.100.5
sn: 255.255.255.0
gw: 10.100.100.1
dhcp1: 10.100.100.1

10.100.100.1 (LAN side) is a Linksys router that has DHCP server enabled and hands out IPs for that network.

There is an Ethernet connection between ETH1 on Linksys router and port 2 on the Cisco WLC.


The public WLAN is configured to use interface "PUBLIC"

My clients will associate to the AP, but they will not obtain an IP address from 10.100.100.1 and manually assigning an IP address to the clients does not work either.


Did I miss something here? thanks

cptInsane0
Apr 11, 2007

...and a clown with no head
Have you tried to see if the access points even have connectivity to your linksys router?

martyb
Dec 18, 2001
ummm
These are the autonomous access points. I'm not sure how I would test that without the WLC being mixed in there.

If I assign the PUBLIC WLAN to the management interface I can get an IP address from the DHCP server assigned to that interface and connect to that part of the network. The management interface is vlan0 untagged on port 1.


The Linksys router is running dd-wrt 2.4 sp1.

Boner Buffet
Feb 16, 2006
I wasn't aware that the linksys router could do anything with vlan tagging. Does the WLAN controller have an internal DHCP server? If so, that might be an option and just have the linksys do routing for the public wireless lan.

inignot
Sep 1, 2003

WWBCD?
From what I recall each ssid needs a subinterface on the lan interface. The AP forms a trunk to a switch & bridges vlans to ssids.

jwh
Jun 12, 2002

martyb posted:

These are the autonomous access points. I'm not sure how I would test that without the WLC being mixed in there.

If I assign the PUBLIC WLAN to the management interface I can get an IP address from the DHCP server assigned to that interface and connect to that part of the network. The management interface is vlan0 untagged on port 1.


The Linksys router is running dd-wrt 2.4 sp1.

I think you mean they're lightweight APs.

Are you handing a trunk to the 2106? You'll need to make sure that you're handing VLAN 2 tagged to the 2106, and that the interface configuration mentions the same port that you're handing VLAN 2 off on (as 802.1q tagged).

edit: Something like this, maybe:

jwh fucked around with this message at 21:07 on May 19, 2009

Minus Pants
Jul 18, 2004

jwh posted:

When you say "without affecting normal network traffic," what do you mean? Can you elaborate?

You're going to have more flexibility on the 6509 side, so I'd start there. Specifically, MQC matching an ACL on a SVI might be the best approach. I know there are MQC caveats on the 6509, but I'm no expert. You might need to do some research.

I found some examples that involved rate limiting ALL traffic across a port to a fixed bandwidth. That would fulfill the internet guarantee, but make the internal network generally unusable. I could rate limit only internet traffic (the inverse of my network subnet), but then network traffic could saturate the uplink (at least that's what I've gathered from a few hours poking around in Cisco docs..would I use QoS to fix this?). Ultimately I want to guarantee the 1.5mbps for internet regardless of other network traffic, but still allow the internet bandwidth to burst. I'm mostly struggling with what pieces go on the 2960 vs. the 6509 (QoS/traffic shaping newb)

jwh
Jun 12, 2002

Minus Pants posted:

I found some examples that involved rate limiting ALL traffic across a port to a fixed bandwidth. That would fulfill the internet guarantee, but make the internal network generally unusable. I could rate limit only internet traffic (the inverse of my network subnet), but then network traffic could saturate the uplink (at least that's what I've gathered from a few hours poking around in Cisco docs..would I use QoS to fix this?). Ultimately I want to guarantee the 1.5mbps for internet regardless of other network traffic, but still allow the internet bandwidth to burst. I'm mostly struggling with what pieces go on the 2960 vs. the 6509 (QoS/traffic shaping newb)

I'm not very knowledgeable about the intricacies of 6500 QoS, but I can tell you that you will more than likely need to become intimately familiar with hardware queues and mls qos. You could, for instance, dump all of your Internet traffic into a separate hardware queue and then assign different wrr queue weights to guarantee available bandwidth to each queue. As for the 1.5mbps commitment, that's where I'm really scratching my head, because a policer is going to clamp you to that 1.5, either on a flow basis or a vlan basis, and that's not what you want. You can't mqc shape (to my knowledge) on the 6500 either, so that's also out.

You may have to just assign different queue weights and hope for the best. What is your ISP router? Is that a software forwarding platform by any chance? You have a lot more flexibility there when it comes to shaping.

Syano
Jul 13, 2005
Here is something you guys might find interesting. I had an 1841 set up with 1 point to point t1 and an internet connection along with 2 sub interfaces on 2 separate vlans. I had policy based routing enabled and ACLs put in place so that traffic on vlan 2 would only route across the internet connection. Well, when it was all set up, I found that I had IP connectivity with no trouble whatsoever, but name resolution would absolutely not occur via this vlan. I went back and forth with this for days thinking I was insane.

So, me being a relative newbie with cisco gear, call up my vendor and have them sic their engineer on it. He also is having a huge time figuring this out. He goes so far as to get in touch with the ISP and finds that what is happening is that the name resolution requests are getting sent properly but they are being sourced from the wrong interface, so therefore the responses are not getting back. They both end up spending about a week in testing with cisco's engineers and lo and behold: we found a new previously unknown IOS bug.

Just thought it was interesting. I have never been privy to finding unknown flaws or bugs before.

Tony Montana
Aug 6, 2005

by FactsAreUseless
Well, I'm a relative new-comer to Cisco. I started out after uni as a database developer, then moved away to systems administration and have moved again, now toward Cisco and network engineering.

I'm enjoying it, after calling Windows servers my thing for a few years it's an easy choice for me. Studying for CCNA now, looking longingly down the CCSP track. It looks like a long road but with some cool payoff at the end.

Anyways, here is my stupid little question.

I was configuring a 521G WAP today, the grey square ones used with the UC range. The bitch was, I couldn't execute the 'configure' command from the exec prompt when connected via telnet. It just wasn't an option, but when I connected via console port I could.

After screwing around a bit I got sick of it and logged a TAC request. The engineer wrote back 'sorry, that feature doesn't exist'. He suggested using the web GUI or connecting via console cable. Now, why is that? Is it a security thing to prevent the WAPs being configured remotely?

p.s. I took off the 'lightweight' operating system (whatever it's called, I dunno!) and put on IOS 12.4. So it had full functionality, nothing should be restricted unless intentionally.

inignot
Sep 1, 2003

WWBCD?

Tony Montana posted:

p.s. I took off the 'lightweight' operating system (whatever it's called, I dunno!) and put on IOS 12.4. So it had full functionality, nothing should restricted unless intentionally.

Lightweight mode APs are intentionally restricted. Their config is stored on a management server. Nothing is capable of being changed at the end AP.

jwh
Jun 12, 2002

Q. Can the Cisco IOS® command-line interface (CLI) be used to manage the Cisco Mobility Express Solution?
A. Because the objective of the Cisco SBCS was to create a simplified management system and interface for SMB customers, the CLI is limited to troubleshooting (SHO/DEBUG) commands only and cannot be used for configuration.

Tony Montana
Aug 6, 2005

by FactsAreUseless

inignot posted:

Lightweight mode APs are intentionally restricted. Their config is stored on a management server. Nothing is capable of being changed at the end AP.

jwh posted:

Q. Can the Cisco IOS® command-line interface (CLI) be used to manage the Cisco Mobility Express Solution?
A. Because the objective of the Cisco SBCS was to create a simplified management system and interface for SMB customers, the CLI is limited to troubleshooting (SHO/DEBUG) commands only and cannot be used for configuration.

Yeah, but I said I took off the lightweight operating system. Once I'd put on the full version of IOS, I then wrote my configuration directly to the WAP. The procedure is somewhere on the Cisco site. The point was only via telnet I couldn't type 'config t', while by console cable I could.

Also, I'd like to vouch for the online training available through the PEC (Partner Education Centre). So far the info has been great, detailed and well illustrated. It's like a lecture that I can pause and take a note or adjust something. If your employer is a Cisco partner and you're considering doing Cisco certs, you'd have access to the course materials for free.

It's just the CCNA from what I can see, I'd have to go to instructor led classes for the later certs.

jwh
Jun 12, 2002

Tony Montana posted:

Yeah, but I said I took off the lightweight operating system. Once I'd put on the full version of IOS, I then wrote my configuration directly to the WAP. The procedure is somewhere on the Cisco site. The point was only via telnet I couldn't type 'config t', while by console cable I could.

I'm not sure the express series run a fully fledged IOS, do they? I had always thought Cisco intended for them to be managed with CCA/CNA.

I hear what you're saying about being able to conf t via console though, and I don't have an answer. When you go conf t via console, do you have a full configuration command set?

Tony Montana
Aug 6, 2005

by FactsAreUseless
Geez, I didn't realize what I had been doing was so uncommon. Particularly from you jwh, you're quite the Cisco tech from what I've been reading.

If by the 'express series' you mean the ones with 'L' in the model number (meaning lightweight I guess), they ship with the cut-down IOS you mention. But, you can take it off and put on the full version.

Since you lot are a nice enough bunch, I've even remoted into the work network and gotten my notes for you (in-case someone wants to do this).

me posted:

Step 1 The static IP address of the PC on which your TFTP server software runs should be between 10.0.0.2 and 10.0.0.30.

Step 2 Make sure that the PC contains the access point image file (such as c1200-k9w7-tar.122-15.JA.tar for a 1200 series access point) in the TFTP server folder and that the TFTP server is activated.

Step 3 On the PC where the TFTP server is located, perform these steps:

a. Disable any software firewall products, such as Windows firewall, ZoneAlarm firewall, McAffee firewall, or others.

b. Ensure all Windows files are visible. From Windows Explorer, click Tools > Folder Options > View > Show hidden files and folders.

Step 4 Rename the access point image file in the TFTP server folder to c1200-k9w7-tar.default for a 1200 series access point, c1130-k9w7-tar.default for an 1130 series access point, c1240-k9w7-tar.default for a 1240 series access point, and c1250-k9w7-tar.default for a 1250 series access point.

Step 5 Connect the PC to the access point using a Category 5 (CAT5) Ethernet cable.

Step 6 Disconnect power from the access point.

Step 7 Press and hold MODE while you reconnect power to the access point.

Step 8 Hold the MODE button until the status LED turns red (approximately 20 to 30 seconds) and then release.

Step 9 Wait until the access point reboots, as indicated by all LEDs turning green followed by the Status LED blinking green.

Step 10 After the access point reboots, reconfigure it using the GUI or the CLI.

Be aware the default password to get into enable mode on the WAP after you've changed IOS is 'Cisco'. That's the default one but with a capital 'C'.

Even though the 521 isn't listed in that, it still works. It'll pull down the IOS and use that instead, so yeah the full configuration command set via console. It was dumbass sales people ordering wrong poo poo that made me have to find this out.

Is the 'L' cheaper than the full version?
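Added example, not part of the thread or of Cisco's procedure: steps 2 and 3 above assume a TFTP server is listening on the PC at an address in 10.0.0.2 to 10.0.0.30. Below is a small read-only TFTP server in Python (RFC 1350, octet mode, 512-byte blocks) written for this page. It serves only files inside one directory and refuses path traversal, which matters because TFTP has no authentication at all and will hand out whatever name a client asks for. The bind address 10.0.0.2 and the ~/tftp directory are assumptions; rename the image to the .default name from step 4 and put it in that directory.

```python
import os
import socket
import struct
from typing import Optional

RRQ, DATA, ACK, ERROR = 1, 3, 4, 5     # RFC 1350 opcodes (WRQ is 2 and is refused)
BLOCK_SIZE = 512


def parse_request(pkt: bytes):
    """Parse an RRQ: 2-byte opcode, filename, NUL, mode, NUL. Returns (filename, mode)."""
    if len(pkt) < 4:
        raise ValueError("packet too short")
    (opcode,) = struct.unpack("!H", pkt[:2])
    if opcode != RRQ:
        raise ValueError(f"only read requests are served (opcode {opcode})")
    fields = pkt[2:].split(b"\0")
    if len(fields) < 3:
        raise ValueError("malformed RRQ")
    return fields[0].decode("ascii"), fields[1].decode("ascii").lower()


def safe_path(root: str, filename: str) -> str:
    """Resolve filename under root; reject '..', absolute paths and symlinks leading out."""
    root = os.path.realpath(root)
    full = os.path.realpath(os.path.join(root, filename))
    if os.path.commonpath([root, full]) != root or full == root:
        raise PermissionError(f"refusing to serve {filename!r} outside {root}")
    return full


def data_packet(block: int, chunk: bytes) -> bytes:
    return struct.pack("!HH", DATA, block & 0xFFFF) + chunk


def error_packet(code: int, msg: str) -> bytes:
    return struct.pack("!HH", ERROR, code) + msg.encode("ascii", "replace") + b"\0"


def ack_block(pkt: bytes) -> Optional[int]:
    """Block number carried by an ACK, or None if pkt is not an ACK."""
    if len(pkt) < 4:
        return None
    opcode, block = struct.unpack("!HH", pkt[:4])
    return block if opcode == ACK else None


def send_file(sock: socket.socket, peer, path: str) -> int:
    """Stream path to peer in 512-byte DATA blocks, one ACK per block. Returns blocks sent."""
    block = 1
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(BLOCK_SIZE)
            for _ in range(5):                      # up to 5 retransmits per block
                sock.sendto(data_packet(block, chunk), peer)
                try:
                    reply, _ = sock.recvfrom(516)
                except socket.timeout:
                    continue
                if ack_block(reply) == block & 0xFFFF:
                    break
            else:
                raise TimeoutError(f"no ACK for block {block}")
            if len(chunk) < BLOCK_SIZE:             # short final block ends the transfer
                return block
            block += 1


def serve(root: str, bind: str = "10.0.0.2", port: int = 69) -> None:
    """Answer RRQs for files under root; bind only to the recovery-LAN address."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind((bind, port))
    while True:
        pkt, peer = listener.recvfrom(1024)
        xfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)   # fresh port = server TID
        xfer.settimeout(3)
        try:
            name, mode = parse_request(pkt)
            if mode != "octet":
                raise ValueError("only octet mode is supported")
            send_file(xfer, peer, safe_path(root, name))
        except (ValueError, OSError) as exc:
            code = 2 if isinstance(exc, PermissionError) else 1 if isinstance(exc, FileNotFoundError) else 0
            xfer.sendto(error_packet(code, str(exc)), peer)
        finally:
            xfer.close()


if __name__ == "__main__":
    serve(os.path.expanduser("~/tftp"))   # assumed directory holding the renamed .default image
```

Run it as root (port 69) on the PC with the crossover cable to the AP, watch for the RRQ after the MODE-button reset, and stop it as soon as the transfer finishes; it has no client authentication, so it should never stay up on a shared network.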

Richard Noggin
Jun 6, 2005
Redneck By Default
This is my first time setting up an ASA from scratch. I have a /29 block of WAN addresses, but only want the ASA to deal with one of them (let's say 10.1.1.37). I want to forward all SMTP traffic to an inside host (192.168.1.2). I've set up the ACLs and bound it to the outside interface, but the packet trace always shows that the traffic is dropped. If I try to set up a static NAT map like

static (inside,outside) 10.1.1.37 192.168.1.2 netmask 255.255.255.255 0 0


I get

ERROR: Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address


When I replace the IP with the 'interface' keyword

static (inside,outside) interface 192.168.1.2 netmask 255.255.255.255 0 0

I get

WARNING: static redirecting all traffics at outside interface;
WARNING: all services terminating at outside interface are disabled.

edit: figured it out. The ACL entry was wrong. I had:

access-list acl_out extended permit tcp any host 192.168.1.2 eq smtp
access-group acl_out in interface outside
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255

It should have been:

access-list acl_out extended permit tcp any host 10.1.1.37 eq smtp
access-group acl_out in interface outside
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255

Richard Noggin fucked around with this message at 19:02 on May 22, 2009
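Added example, not from the thread: the fix above is the classic pre-8.3 ASA gotcha. The ACL on the outside interface is evaluated before NAT untranslates the packet, so it has to permit traffic to the mapped address (the outside interface IP, 10.1.1.37, when the static uses the 'interface' keyword), not to the real inside host. The Python below, written for this page, parses the three-line fragments exactly as posted and flags an ACE that names the real address. The outside IP is passed in rather than parsed from the interface config. On ASA 8.3 and later the rule inverts (ACLs reference the real address), so this check is only for the old NAT syntax shown in the post.

```python
import re

# Constructed to mirror the post: the broken fragment (ACE names the real
# inside host) and the corrected one (ACE names the outside address).
BROKEN = """\
access-list acl_out extended permit tcp any host 192.168.1.2 eq smtp
access-group acl_out in interface outside
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255
"""
FIXED = """\
access-list acl_out extended permit tcp any host 10.1.1.37 eq smtp
access-group acl_out in interface outside
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255
"""

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) tcp "
    r"(?P<mapped_addr>\S+) (?P<mapped_port>\S+) "
    r"(?P<real_addr>\S+) (?P<real_port>\S+) netmask"
)
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) extended permit tcp any host "
    r"(?P<dst>\S+) eq (?P<port>\S+)"
)
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<intf>\w+)")


def check_port_forward(config: str, outside_ip: str) -> list:
    """Findings for a pre-8.3 ASA static PAT plus its outside ACL.

    Before 8.3 the ACL on the outside interface is evaluated before NAT
    untranslates the packet, so it must permit the *mapped* address
    (the outside interface IP when the static uses the 'interface'
    keyword), never the real inside host.
    """
    statics, aces, groups = [], [], {}
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if m:
            statics.append(m.groupdict())
            continue
        m = ACE_RE.match(line)
        if m:
            aces.append(m.groupdict())
            continue
        m = GROUP_RE.match(line)
        if m:
            groups[m["name"]] = m["intf"]

    findings = []
    for s in statics:
        mapped = outside_ip if s["mapped_addr"] == "interface" else s["mapped_addr"]
        port = s["mapped_port"]
        matched = False
        for a in aces:
            # only ACEs bound inbound on the mapped-side interface matter
            if groups.get(a["name"]) != s["mapped_if"] or a["port"] != port:
                continue
            if a["dst"] == s["real_addr"]:
                findings.append(
                    f"ACL {a['name']}: host {a['dst']} eq {port} is the real address; "
                    f"pre-8.3 outside ACL must use mapped address {mapped}"
                )
            elif a["dst"] == mapped:
                matched = True
        if not matched:
            findings.append(
                f"no ACE on {s['mapped_if']} permits tcp eq {port} to mapped address {mapped}"
            )
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_port_forward(cfg, "10.1.1.37") or "ok")
```

The WARNING about "all services terminating at outside interface are disabled" in the post is expected for a whole-interface static; the tcp/smtp form used in the fix only claims port 25, which is why it is the right shape for a single port forward.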

Tony Montana
Aug 6, 2005

by FactsAreUseless
Don't you just want to do a port forward?

Like on a 800 series router(assuming your outside interface is Dialer0, which it won't be):

ip nat inside source static tcp 192.168.1.2 25 interface Dialer0 25

I didn't even know what an ASA was (I had to look it up lol), so I may be completely wrong. Also the syntax may be completely different.

Tony Montana fucked around with this message at 16:57 on May 22, 2009

Richard Noggin
Jun 6, 2005
Redneck By Default
Yup, I just want a simple port forward, but I've been banging my head for several hours. I can't even get the loving thing working through the web GUI.

inignot
Sep 1, 2003

WWBCD?
Those steps look familiar. I received a demo AP from Cisco that was in lightweight mode, that's about what I had to do to get it in autonomous mode. I don't recall having any trouble getting into config mode after that.

M@
Jul 10, 2004
Probably a long shot, but I'm looking to buy a couple of very high-end ESR blades (ESR-1COC12-SMI). If anybody has one, or is able to put me in touch with someone who does, I will be your best friend and in addition I will give you money.

jwh
Jun 12, 2002

Tony Montana posted:

Geez, I didn't realize what I had been doing was so uncommon. Particularly from you jwh, you're quite the Cisco tech from what I've been reading.

If by the 'express series' you mean the ones with 'L' in the model number (meaning lightweight I guess), they ship with the cut-down IOS you mention. But, you can take it off and put on the full version.

Since you lot are a nice enough bunch, I've even remoted into the work network and gotten my notes for you (in-case someone wants to do this).


Even though the 521 isn't listed in that, it still works. It'll pull down the IOS and use that instead, so yeah the full configuration command set via console. It was dumbass sales people ordering wrong poo poo that made me have to find this out.

Is the 'L' cheaper than the full version?

Well, there's two kinds of wireless access points that Cisco offers, the lightweight (L) variety, and the autonomous variety. The lightweight variety is a newer, more distributed architecture, where a lot of the control-plane functions have been put on a wireless LAN controller (such as a Cisco 2100 or 4400 series), and the access points themselves are dumbed down to simply act as radios. Normally, a lightweight access point will boot up, grab an IP address via DHCP, and then build a tunnel to the wireless LAN controller, after which all client wireless data is encapsulated via the tunnel and sent over to the controller for processing.

The autonomous access points tend to manage up like traditional IOS based devices, with radio interfaces and ethernet interfaces that you can configure textually.

And, like you've noticed, you can migrate access points between the autonomous and lightweight images. If you're ordering them new, the part numbers are AIR-AP521G-x-K9 for the autonomous version, and AIR-LAP521G-x-K9 for the lightweight version.

The thing is, the 521 is an express series, as part of the SBCS portfolio, and that's where I'm getting tripped up- I had always thought that express series equipment (such as the express switches) didn't run a full-blown IOS, and were meant to be managed with a GUI tool, such as Cisco Network Assistant or Cisco Configuration Assistant. I'm much more familiar with the CUWN portfolio, which includes the 1100/1200 series APs and 2100 / 4400 controllers.

But I don't know, if you can console your 521 in autonomous mode and go into config t, then I would definitely think that you'd be able to go into config t via telnet also. However, Cisco might have disabled that as a way to force you into buying "enterprise" access points if you want to manage them like traditional IOS devices.

I'm no authority on this stuff, I'm just reading this from here: http://www.cisco.com/en/US/prod/collateral/wireless/ps7306/ps7319/ps7338/prod_qas0900aecd8060c860.html

jbusbysack
Sep 6, 2002
i heart syd
Just wanted to share a great resource for ASA troubleshooting - the ASA order of operations - NAT, VPN, ACLs etc.

http://www.uberpackethacker.com/2007/08/cisco-asa-rule-addition-template.html

Tony Montana
Aug 6, 2005

by FactsAreUseless

jwh posted:

However, Cisco might have disabled that as a way to force you into buying "enterprise" access points if you want to manage them like traditional IOS devices.

Yeah, that's probably it.

As for the CCA configuration, I did start down that track when I first started learning. I quickly realised that investing the time into IOS was the only way I was going to properly understand what I was doing, I'm one of those guys that hates fluffing on the edges of a technology. Either learn it properly to the extent I can consider specialization in it, or don't bother.

If Windows systems administration has taught me anything, it's that being a general guy with general knowledge leads to general (average) paychecks and general (average) working conditions. Just like the medical field, it's the guys that really nail down something important that earn the salaries we all want.

Ok, another question. How anal are you lot with security in general? Always SSH to a device to configure it, no telnet? Big 10 character complex passwords set on both access and enable on all your devices? Huge ACL lists that make another network engineer wince when they look at one of your configs? Every tunnel has encryption and remote management is only allowed for certain WAN IPs through ACLs?

I'm just interested to know. We've got a couple of Cisco contractors we call on when it gets above my head, these guys are completely crazy for this stuff. I've got sites where I've done none of the above and they are fine (for the moment I guess!), but they are fairly small networks. Once you hit the big leagues (1000 users and up) is this stuff expected of all implementations?

jbusbysack
Sep 6, 2002
i heart syd

Tony Montana posted:

Yeah, that's probably it.

As for the CCA configuration, I did start down that track when I first started learning. I quickly realised that investing the time into IOS was the only way I was going to properly understand what I was doing, I'm one of those guys that hates fluffing on the edges of a technology. Either learn it properly to the extent I can consider specialization in it, or don't bother.

If Windows systems administration has taught me anything, it's that being a general guy with general knowledge leads to general (average) paychecks and general (average) working conditions. Just like the medical field, it's the guys that really nail down something important that earn the salaries we all want.

Ok, another question. How anal are you lot with security in general? Always SSH to a device to configure it, no telnet? Big 10 character complex passwords set on both access and enable on all your devices? Huge ACL lists that make another network engineer wince when they look at one of your configs? Every tunnel has encryption and remote management is only allowed for certain WAN IPs through ACLs?

I'm just interested to know. We've got a couple of Cisco contractors we call on when it gets above my head, these guys are completely crazy for this stuff. I've got sites where I've done none of the above and they are fine (for the moment I guess!), but they are fairly small networks. Once you hit the big leagues (1000 users and up) is this stuff expected of all implementations?

With the exception of regulator-influenced configurations what you described is pretty accurate as far as best-practices go. If there isn't a good reason for a certain source to have access on a non-encrypted protocol....you shouldn't have it. Yes while it is nice to have unfettered SSH from your house IP address, VPN in. It makes auditors spaz out less.

On the ACL note, you can make 932838737 lines of ACLs that will anger and confuse engineers after your time, however object-group(ing) your devices will make the configuration many things:
1) Maintainable - easy to add new servers
2) Readable - Object group X gets TCP 80,443,3389. done in one entry.
3) Scalable - To add a brand new server to some predecessors with the same port allowances, you simply add a name entry and a group entry. Done.

jwh
Jun 12, 2002

Tony Montana posted:

Ok, another question. How anal are you lot with security in general? Always SSH to a device to configure it, no telnet? Big 10 character complex passwords set on both access and enable on all your devices? Huge ACL lists that make another network engineer wince when they look at one of your configs? Every tunnel has encryption and remote management is only allowed for certain WAN IPs through ACLs?

SSH yes, although it can be difficult to get everything in your environment running a crypto image. We have four-hundred IOS devices under management, and a small handful, probably no more than a dozen, are still telnet for administration. If we can, we'll take the management out of band, but for remote installations that can be difficult (or costly). It's also worth mentioning that any halfway decent auditor will find open telnet for management, and they will ask you to put a stop to it. Interesting aside, the IOS ssh client isn't vrf aware (or at least, my IOS images don't have a vrf-aware ssh client), whereas the telnet client had the /vrf flag. That's sort of annoying.

As for passwords, once you hit a certain critical mass, you'll want to go to tacacs+ for authentication. We mandate network authentication unless the device can't reach one of our authentication servers, at which point the device will allow the use of local recovery accounts (which have big huge complex passwords). We also do command level authorization via tacacs+ with command sets for different administrator groups. In other words, our "datacenter support" staff have the ability to log in, enable, config t, and "switchport access vlan 2-199" various ports, while our "network administrator" staff can do whatever they want. Regardless, every command typed is logged back at the ACS engines so that we can provide an audit trail and change history. We also pick up every device's configuration nightly, diff it against both the previous day's configuration and a known-good baseline, and then email those changes to our network engineering group mailbox.

We don't get too complex with our ACLs, mostly because I'm of the mind that if you're writing ACLs of any significant complexity for your IOS based devices, you might not be using the right tool for the job. Not a knock against IOS, but if you're trying to manage a several-hundred rule firewall policy with numbered access-lists, you're not exactly doing yourself a favor. I guess some people get away with it, but I wouldn't want to be in that position.

We do carry a number of uniform access-lists that are deployed to all of our IOS devices that are used in our policy-maps and to lock down our vtys. And secure our broadband interfaces. We try and write things in such a way that the same access-list can be deployed to every device without alteration.

Your question as to whether this is expected in larger environments is hard to answer- different organizations get away with different standards for different reasons. I guess the thing that really drives compliance these days are the bigger compliance audits, like SAS70, SOX, PCI, etc.
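Added example, written for this page rather than taken from jwh's environment: the nightly pull, diff and mail loop he describes, in Python. It normalises two IOS configs by dropping the lines that change on every pull (the change timestamp, ntp clock-period), diffs tonight's config against both the previous night and a known-good baseline, and pulls out changes that should wake somebody up (telnet re-enabled on the vtys, an access-class removed, password encryption turned off, AAA backed out). The sample configs are constructed; the ALARM patterns are a starting set, not a standard.

```python
import difflib
import re

# Lines that differ on every pull but carry no configuration meaning.
NOISE = (
    re.compile(r"^! (Last configuration change|No configuration change|NVRAM config last updated)"),
    re.compile(r"^Building configuration"),
    re.compile(r"^Current configuration : \d+ bytes"),
    re.compile(r"^ntp clock-period \d+"),
)

# Changes worth an immediate look rather than a morning read. Starting set only.
ALARM = (
    re.compile(r"^\+\s*transport input .*\btelnet\b"),   # telnet re-enabled on a line
    re.compile(r"^-\s*access-class "),                    # vty ACL removed
    re.compile(r"^\+\s*no service password-encryption"),
    re.compile(r"^\+\s*enable password "),                # 'enable password' instead of 'enable secret'
    re.compile(r"^-\s*(aaa |tacacs-server )"),            # network authentication backed out
)


def normalise(config: str) -> list:
    return [
        line.rstrip()
        for line in config.splitlines()
        if line.strip() and not any(p.match(line) for p in NOISE)
    ]


def config_drift(old: str, new: str) -> list:
    """Changed lines (prefixed +/-) between two IOS configs, volatile lines ignored."""
    diff = difflib.unified_diff(normalise(old), normalise(new), "old", "new", n=0, lineterm="")
    return [
        line for line in diff
        if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))
    ]


def drift_report(device: str, baseline: str, previous: str, today: str) -> dict:
    vs_previous = config_drift(previous, today)
    return {
        "device": device,
        "vs_baseline": config_drift(baseline, today),
        "vs_previous": vs_previous,
        "alarms": [l for l in vs_previous if any(p.match(l) for p in ALARM)],
    }


def format_mail(report: dict) -> str:
    """Plain-text body for the nightly mail to the engineering group mailbox."""
    out = [f"Config drift on {report['device']}", ""]
    if report["alarms"]:
        out.append("ALARM lines (look at these first):")
        out += ["  " + l for l in report["alarms"]] + [""]
    for title, key in (("Since yesterday", "vs_previous"), ("Versus baseline", "vs_baseline")):
        out.append(f"{title}: {len(report[key])} changed line(s)")
        out += ["  " + l for l in report[key]] + [""]
    return "\n".join(out)


# Constructed sample: known-good baseline and tonight's pull from the same device.
BASELINE = """\
! Last configuration change at 02:10:03 UTC Mon May 18 2009
hostname edge-rtr1
ntp clock-period 17180169
line vty 0 4
 access-class 10 in
 transport input ssh
"""
TONIGHT = """\
! Last configuration change at 02:10:41 UTC Tue May 19 2009
hostname edge-rtr1
ntp clock-period 17180201
line vty 0 4
 access-class 10 in
 transport input telnet ssh
"""

if __name__ == "__main__":
    print(format_mail(drift_report("edge-rtr1", BASELINE, BASELINE, TONIGHT)))
```

Pulling the configs (via the TACACS+-authenticated SSH account jwh mentions) and sending the mail are left to whatever the site already uses; the point is that the diff is against a signed-off baseline as well as yesterday, so a slow series of small changes cannot walk a device away from policy unnoticed.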

Tony Montana
Aug 6, 2005

by FactsAreUseless
Wow, there is some cool stuff in jwh's post. It sounds like I'm about right, as my networks are small and not needing to pass any of the audits listed. I am keen to finish my study and move to a bigger firm with more responsibility; it's the only way I'm actually going to work with people like jwh and see their 'big league' methods of doing stuff in production.

I'll have to look into what jbusbysack is talking about with object-grouping.

Anyways, this thread has had me thinking since the weekend (when I found it). I was going to log a TAC request, but I thought it's a common problem I'm looking at and its solution would probably help others.

Ok, so we've got a company that has been email blacklisted. No doubt some idiotic sales or administration staff has clicked the 'BIG RED BUTTON TO WIN NOW!' one too many times and installed a mass mailing worm. Now these things rarely compromise mail servers (here is my sysadmin experience coming in); they'll usually just poo poo SMTP packets straight out to the WAN through an available interface.

So the WAN IP that was blacklisted is a NAT IP, the Cisco router (877) that connects the mail server to the WAN NATs the WAN IP to the local IP of the mail server and other hosts. So somewhere on the LAN there is a host generating outgoing SMTP traffic, your mission (if you choose to accept it, I'm paid to accept it so I don't have that choice) is to find the source of the errant SMTP traffic so the PC can be either cleaned or set on fire or something.

I decide to flex my IOS skills and want to run a modified debug from the Cisco router showing all outgoing SMTP traffic. To show all ip packet traffic we can use debug ip packet, which will generate so much output that finding the SMTP traffic will be hard and might even seize up the router. So we want to write an access list and then use that to modify the debug output.

So I wrote ACL 180:

Extended IP access list 180
10 permit tcp any any eq smtp

I then ran the ip packet debug with the ACL as a modification:

debug ip packet 180 detail

So this works, I can see emails coming into the router and being forwarded to the mail server. However I can't see OUTGOING traffic, and I don't quite understand why. My ACL specifies any any, so any SMTP packet with any source and any destination address should be shown by the debug.

So why can't I see the outgoing packets? What am I missing, goons?
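Once the filtered debug does produce output, the next job is turning it into a per-host list of who on the LAN is opening SMTP connections. The parser below is an added example, not code from the thread: it reads lines shaped like IOS "debug ip packet <acl> detail" output (an "IP: s=..., d=..." line followed by a "TCP src=..., dst=..." line), keeps only SYNs to port 25 from inside addresses, excludes the legitimate mail server, and counts connections and distinct destinations per host. The sample output, LAN prefix 10.0.0.0/24 and mail server 10.0.0.5 are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample resembling "debug ip packet 180 detail" output on an
# IOS router; all addresses, ports and sequence numbers are made up.
SAMPLE_DEBUG = """\
IP: s=10.0.0.21 (Vlan1), d=198.51.100.25 (Dialer0), len 60, sending
    TCP src=50123, dst=25, seq=101, ack=0, win=65535 SYN
IP: s=203.0.113.9 (Dialer0), d=10.0.0.5 (Vlan1), len 60, rcvd 4
    TCP src=41567, dst=25, seq=202, ack=0, win=8192 SYN
IP: s=10.0.0.21 (Vlan1), d=192.0.2.40 (Dialer0), len 60, sending
    TCP src=50124, dst=25, seq=103, ack=0, win=65535 SYN
IP: s=10.0.0.5 (Vlan1), d=203.0.113.9 (Dialer0), len 52, sending
    TCP src=25, dst=41567, seq=500, ack=203, win=8192 ACK
IP: s=10.0.0.5 (Vlan1), d=192.0.2.40 (Dialer0), len 60, sending
    TCP src=33000, dst=25, seq=600, ack=0, win=8192 SYN
IP: s=10.0.0.77 (Vlan1), d=198.51.100.25 (Dialer0), len 60, sending
    TCP src=50200, dst=25, seq=104, ack=0, win=65535 SYN
"""

IP_LINE = re.compile(r"^IP: s=(?P<src>[\d.]+) \(\S+\), d=(?P<dst>[\d.]+) \(\S+\)")
TCP_LINE = re.compile(r"^\s+TCP src=(?P<sport>\d+), dst=(?P<dport>\d+)")


def parse_records(text):
    """Pair each IP line with the TCP line that follows it.
    Returns (src, dst, sport, dport, is_syn) tuples."""
    records, pending = [], None
    for line in text.splitlines():
        m = IP_LINE.match(line)
        if m:
            pending = (m.group("src"), m.group("dst"))
            continue
        m = TCP_LINE.match(line)
        if m and pending:
            is_syn = line.split()[-1] == "SYN"  # last token carries the flag
            records.append(pending + (int(m.group("sport")), int(m.group("dport")), is_syn))
            pending = None
    return records


def outbound_smtp_talkers(text, lan_prefix, exclude=(), smtp_port=25):
    """Map LAN host -> (SMTP SYN count, distinct destinations).
    Inbound mail to the server also has dst=25, so the source is checked
    against the LAN prefix; the real mail server is passed in 'exclude'."""
    lan = ipaddress.ip_network(lan_prefix)
    counts, dests = Counter(), {}
    for src, dst, _sport, dport, is_syn in parse_records(text):
        if dport != smtp_port or not is_syn or src in exclude:
            continue
        if ipaddress.ip_address(src) not in lan:
            continue  # mail arriving from the internet, not a LAN sender
        counts[src] += 1
        dests.setdefault(src, set()).add(dst)
    return {host: (counts[host], len(dests[host])) for host in counts}
```

A host with many SYNs to many distinct destinations is the one to pull off the network; the ordinary workstation in the sample (10.0.0.21) stands out against the server it is excluded from.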

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

Tony Montana posted:

So I wrote ACL 180:

Extended IP access list 180
10 permit tcp any any eq smtp

I then ran the ip packet debug with the ACL as a modification:

debug ip packet 180 detail

So this works, I can see emails coming into the router and being forwarded to the mail server. However I can't see OUTGOING traffic, and I don't quite understand why. My ACL specifies any any, so any SMTP packet with any source and any destination address should be shown by the debug.

So why can't I see the outgoing packets? What am I missing, goons?

You have to put the ACL in the proper direction on the interface, inbound or outbound. You have it set to inbound, meaning traffic coming from the internet, not in from your LAN.

ragzilla
Sep 9, 2005
don't ask me, i only work here


jwh posted:

SSH yes, although it can be difficult to get everything in your environment running a crypto image. We have four-hundred IOS devices under management, and a small handful, probably no more than a dozen, are still telnet for administration. If we can, we'll take the management out of band, but for remote installations that can be difficult (or costly). It's also worth mentioning that any halfway decent auditor will find open telnet for management, and they will ask you to put a stop to it. Interesting aside, the IOS ssh client isn't vrf aware (or at least, my IOS images don't have a vrf-aware ssh client), whereas the telnet client had the /vrf flag. That's sort of annoying.

Added in 12.4(20)T (according to the relnotes)


brent78
Jun 23, 2004

I killed your cat, you druggie bitch.
We're hiring a Network Engineer in Austin, TX. Must have CCNP or equivalent, will relocate.
http://trionworld.com/career.php?jid=102
